NIST Special Publication

Similar documents
Special Publication

Cybersecurity Risk Management

Why is the CUI Program necessary?

SAC PA Security Frameworks - FISMA and NIST

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Handbook Webinar

Executive Order 13556

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

DFARS , NIST , CDI

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

ROADMAP TO DFARS COMPLIANCE

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

DFARS Defense Industrial Base Compliance Information

Get Compliant with the New DFARS Cybersecurity Requirements

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Rev.1 Solution Brief

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Cybersecurity Challenges

INTRODUCTION TO DFARS

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Tinker & The Primes 2017 Innovating Together

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Compliance with NIST

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

COMPLIANCE IN THE CLOUD

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Outline. Other Considerations Q & A. Physical Electronic

Cyber Security Challenges

ISOO CUI Overview for ACSAC

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

DFARS Cyber Rule Considerations For Contractors In 2018

New Process and Regulations for Controlled Unclassified Information

Cyber Security Challenges

Industry Perspectives on Active and Expected Regulatory Actions

INFORMATION ASSURANCE DIRECTORATE

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

SYSTEMS ASSET MANAGEMENT POLICY

NW NATURAL CYBER SECURITY 2016.JUNE.16

Assessing Security Requirements for Controlled Unclassified Information

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

2017 SAME Small Business Conference

Agency Guide for FedRAMP Authorizations

Safeguarding Unclassified Controlled Technical Information

The Common Controls Framework BY ADOBE

Exhibit A1-1. Risk Management Framework

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

INFORMATION ASSURANCE DIRECTORATE

HIPAA Security and Privacy Policies & Procedures

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

NYDFS Cybersecurity Regulations

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

New Cyber Rules. Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG. Issues in Focus Webinar Series. government contracting

Interagency Advisory Board Meeting Agenda, December 7, 2009

COMPLIANCE SCOPING GUIDE

Data Processing Agreement

INFORMATION ASSURANCE DIRECTORATE

Altius IT Policy Collection Compliance and Standards Matrix

Streamlined FISMA Compliance For Hosted Information Systems

Appendix 2B. Supply Chain Risk Management Plan

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Four Deadly Traps of Using Frameworks NIST Examples

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Guide to Understanding FedRAMP. Version 2.0

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

O0001(OCT

INFORMATION ASSURANCE DIRECTORATE

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Altius IT Policy Collection Compliance and Standards Matrix

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Ohio Supercomputer Center

UCOP ITS Systemwide CISO Office Systemwide IT Policy

INFORMATION ASSURANCE DIRECTORATE

The FAR Basic Safeguarding Rule

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

November 20, (Via DFARS Case 2013-D018)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Click to edit Master title style

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

01.0 Policy Responsibilities and Oversight

Fiscal Year 2013 Federal Information Security Management Act Report

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Quick Start Strategy to Compliance DFARS Rob Gillen

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Another Cook in the Kitchen: The New FAR Rule on Cybersecurity

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Transcription:

NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline

WHAT IS INFORMATION SECURITY? Personnel Security Operational Security Contingency Planning & Disaster Recovery Cybersecurity Privacy Physical Security 2

NONFEDERAL ORGANIZATIONS SOME EXAMPLES

The CUI Registry www.archives.gov/cui/registry/category-list.html Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls. Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

CategorySubcategory: Proprietary Business Information-Manufacturer Category Description: Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications. Subcategory Description: Relating to the production of a consumer product to include that of a private labeler. Marking: MFC

The Big Picture Plan for the protection of CUI Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors DFAR clause 252.204.7008 requires compliance to NIST Special Publication 800-171

PURPOSE WHEN THE CUI IS RESIDENT IN NONFEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS. WHEN THE INFORMATION SYSTEMS WHERE THE CUI RESIDES ARE NOT OPERATED BY ORGANIZATIONS ON BEHALF OF THE FEDERAL GOVERNMENT. WHERE THE CUI DOES NOT HAVE SPECIFIC SAFEGUARDING REQUIREMENTS PRESCRIBED BY THE AUTHORIZING LAW, REGULATION, OR GOVERNMENTWIDE POLICY FOR THE CUI CATEGORY OR SUBCATEGORY LISTED IN THE CUI REGISTRY.

APPLICABILITY THE REQUIREMENTS ARE INTENDED FOR USE BY FEDERAL AGENCIES IN CONTRACTUAL VEHICLES OR OTHER AGREEMENTS ESTABLISHED BETWEEN THOSE AGENCIES AND NONFEDERAL ORGANIZATIONS.

ASSUMPTIONS

NIST SPECIAL PUBLICATION 800-171 REV 1 DECEMBER 2016 HTTP://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-171R1.PDF

Access Control. Audit and Accountability. Awareness and Training. Configuration Management. Identification and Authentication. Incident Response. SECURITY Maintenance. REQUIREMENTS 14 FAMILIES Media Protection. Physical Protection. Personnel Security. Risk Assessment. Security Assessment. System and Communications Protection System and Information Integrity.

STRUCTURE OF SECURITY REQUIREMENTS SECURITY REQUIREMENTS HAVE A WELL-DEFINED STRUCTURE THAT CONSISTS OF THE FOLLOWING COMPONENTS: BASIC SECURITY REQUIREMENTS SECTION. DERIVED SECURITY REQUIREMENTS SECTION.

Security Requirement Configuration Management Example Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems. Derived Security Requirements: 3.4.3 Track, review, approve/disapprove, and audit changes to information systems. 3.4.4 Analyze the security impact of changes prior to implementation. 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. 3.4.5

Security Requirement Configuration Management Example 3.4.1 Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Meeting the Requirements: Develops, documents and maintains a current baseline configuration of the information system Configuration control in place

Security Requirement Configuration Management Example 3.4.1 Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Meeting the Requirements: Configuration management policy; procedures and plan. Documentation for Enterprise architecture or information system design. Information system configuration settings and associated documentation. Change control records. Personnel with configuration management responsibilities. System/network administrator.

IF THE OFFEROR PROPOSES TO VARY FROM ANY OF THE SECURITY REQUIREMENTS SPECIFIED BY NIST SP 800171 THAT ARE IN EFFECT AT THE TIME THE SOLICITATION IS ISSUED OR AS AUTHORIZED BY THE CONTRACTING OFFICER, THE OFFEROR SHALL SUBMIT TO THE CONTRACTING OFFICER, FOR CONSIDERATION BY THE DOD CHIEF INFORMATION OFFICER (CIO), A WRITTEN EXPLANATION OF (A) WHY A PARTICULAR SECURITY REQUIREMENT IS NOT APPLICABLE; OR (B) HOW AN ALTERNATIVE BUT EQUALLY EFFECTIVE, SECURITY MEASURE IS USED TO COMPENSATE FOR THE INABILITY TO SATISFY A PARTICULAR REQUIREMENT AND ACHIEVE EQUIVALENT PROTECTION.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback